The duties of the information officer (IO) are prescribed by both PAIA and POPIA.

Before taking up their duties, though, IOs must first register with the Information Regulator. This can be done by completing and submitting a registration form online, or completing and delivering the form to the Information Regulator’s physical address or via email to registration.IR@justice.gov.za.

Section 55 of POPIA and Regulation 4 of POPIA Regulations

Section 55 of POPIA prescribes some of the duties of an IO. These include encouraging and ensuring that all responsible parties comply with the provisions of POPIA; dealing with requests made under POPIA; and helping the Information Regulator with any possible investigations into the organisation’s handling of information.

Besides these, Regulation 4 of the POPIA Regulations prescribes more duties to be performed by IOs. These include ensuring that:

  • a compliance framework is developed, implemented, monitored and maintained;
  • a personal information impact assessment is done to see if there are adequate measures and standards that allow for the lawful processing of personal information;
  • a manual is developed, maintained and made available as prescribed in terms of PAIA;
  • internal measures and adequate systems are developed to process requests for information; and
  • internal awareness sessions are conducted about the provisions of POPIA, the Regulations, codes of conduct or any other information from the Information Regulator.

PAIA furthermore requires the IOs of public bodies to submit an annual report to the Information Regulator. Some of the topics required to be set out in this report are the number of requests for access received, the number of requests for access granted or refused, and the number of internal appeals lodged after a request for access was refused.

As for private bodies, the Information Regulator may request private bodies once a year to supply it with information about requests received for access to records.

The duties of other employees regarding personal information

As mentioned before, the IO is not the only staff member responsible for ensuring compliance with information legislation. All staff should be mindful of their duty of acting responsibly when it comes to handling people’s personal information.

What qualifies as the processing of personal information?

Anything you can do with information on a computer or on paper. That includes enriching, changing, displaying, turning into disc, sending or receiving someone’s information. Processing is defined as any operation or activity, or any set of operations, including the collection, receipt, recording, storage, updating or modification of personal information.

What is personal information?

Definitions:

A data subject is any person or entity to whom your information relates, whether it is a person or business, prospects, clients or employees.

A responsible party is any public or private body or any other person who/which alone, or together with others, determines the purpose and means of processing personal information.

An operator is someone who processes personal information on behalf of a responsible party under the terms of a contract or mandate, but not under their direct control.

Takeaway

The IO must familiarise themselves with the relevant duties under section 55 of POPIA and Regulation 4 of the POPIA Regulations. These duties include submitting annual reports to the Information Regulator. Keep in mind that anything you do with another’s personal information on a computer or paper qualifies as the processing of that information – and as such is subject to POPIA.